Stan A. Einstein wrote:

Amberexile wrote:Back to the original topic, I believe if the Trust were to publish a list of members now, it would constitute a data breach under GDPR.

But the trust are already publishing a list of shareholders. And have done so for the last four years.

You'd have to ask them about their GDPR governance.

It wasn't in potential breach of GDPR for the first 2½ to 3 years of that timeframe because the legislation wasn't enforced until May 2018, though I don't recall being asked for consent since GDPR came in by either the club or the Trust.

I've mentioned before that regular cleansing of customer data is useful for comms (and linking with other lists) as well as compliance.

Stan A. Einstein wrote: My spam folder holds span until I delete it. I have no idea how you know what Frank's does. Perhaps you'd enlighten us?

I guess it does depend who your provider or what system you're using. I was referring to Gmail, as it has a billion users and is significantly more likely to be the system in use than any other.

However, as I just checked my Google spam/junk, and it's a month not a week - so they would be there anyway. So we can strike that one from the record, especially as Fred Niblet 4 (sic) has replied to say he's checked.

Help me. What legislation? Just tell me the Act and I will read it and give you my opinion.

Thanks.

Data Protection Act 2018 (specifically Chapter 2). Pretty much every business and organisation in the UK has been affected by it, surprised you weren't already aware tbh.

SJG99 wrote:

Frank Nouble 3 wrote:

SJG99 wrote:I can only repeat that you should check your spam folder. No-one seems to have come back to say they have yet...

SLG 99

Sorry but we are not Morons

No mail from the Trust in my Spam folder.

Not a moron... but not great at reading 5 character usernames.

Incidentally your Spam folder only holds them for a week, so you probably wouldn't have by now anyway.

A little pedantic me thinks!

My system highlights both regular and spam mails which I check numerous times each day.
Please note I have never received any mail from the trust since the 21st September.
If that is not good enough for you I give up with you

SJG99 wrote:

Stan A. Einstein wrote: My spam folder holds span until I delete it. I have no idea how you know what Frank's does. Perhaps you'd enlighten us?

I guess it does depend who your provider or what system you're using. I was referring to Gmail, as it has a billion users and is significantly more likely to be the system in use than any other.

However, as I just checked my Google spam/junk, and it's a month not a week - so they would be there anyway. So we can strike that one from the record, especially as Fred Niblet 4 (sic) has replied to say he's checked.

Fred Niblet 4 Ho Ho Ho Belly laughs abound.

SJG99 wrote:Data Protection Act 2018 (specifically Chapter 2). Pretty much every business and organisation in the UK has been affected by it, surprised you weren't already aware tbh.

I don't live in the UK and haven't since 2017. I will read the legislation and let you know my opinion.

On my reading Article 6.1(f) would seem to say that a third party with a legitimate interest can be given the information subject to the proviso of proportionality.

That being so trust members being electors can be identified as such. Not being proportional would entail giving out information such as criminal convictions.

Which is why, as I suspected, Newport County can list the names of its employees in the programme.

I will review it in due course and look forward to any other, informed opinions.

Stan A. Einstein wrote:On my reading Article 6.1(f) would seem to say that a third party with a legitimate interest can be given the information subject to the proviso of proportionality.

That being so trust members being electors can be identified as such. Not being proportional would entail giving out information such as criminal convictions.

Which is why, as I suspected, Newport County can list the names of its employees in the programme.

I will review it in due course and look forward to any other, informed opinions.

The proportionality aspect of Article 6.1(f) (which refers to the proportionality between the interests of the data subject and the legitimate interests pursued by a third party) only comes into play after a legitimate interest has been established. In order to establish a legitimate interest, the controller must consider whether the data subject could reasonably expect their personal data to be processed in this way at the time it was collected and in the context it was collected.

If a prospective director pursued a legitimate interest in my personal data collected by the Trust many years ago in order to canvas me in relation to trust elections, the data controller would first need to consider whether I would have reasonably expected this when the information was collected. If I recall correctly, the information held on me by the Trust probably flowed through from my membership of Lifeline under the previous incarnation of the club. The data controller would have to consider whether when I when I gave up that information I would have reasonably expected my information collected in the context of joining Lifeline to be given to a prospective candidate for Trust elections some 30+ years later. That's just me, the circumstances of data collection for the other 1500(ish) members will have occurred under a number of different scenarios and then you have to consider the extra protection given to members under the age of 18.

Next comes the test of necessity. Even if a legitimate interest were to be established, it has to be considered whether processing the data in this way is necessary or whether there are other, less intrusive, ways of fulfilling the legitimate interest.

Only then does proportionality come into play and the controller needs to consider whether the third party's legitimate interest is overridden by the fundamental rights of the data subject.

Amberexile wrote:

Stan A. Einstein wrote:On my reading Article 6.1(f) would seem to say that a third party with a legitimate interest can be given the information subject to the proviso of proportionality.

That being so trust members being electors can be identified as such. Not being proportional would entail giving out information such as criminal convictions.

Which is why, as I suspected, Newport County can list the names of its employees in the programme.

I will review it in due course and look forward to any other, informed opinions.

The proportionality aspect of Article 6.1(f) (which refers to the proportionality between the interests of the data subject and the legitimate interests pursued by a third party) only comes into play after a legitimate interest has been established. In order to establish a legitimate interest, the controller must consider whether the data subject could reasonably expect their personal data to be processed in this way at the time it was collected and in the context it was collected.

If a prospective director pursued a legitimate interest in my personal data collected by the Trust many years ago in order to canvas me in relation to trust elections, the data controller would first need to consider whether I would have reasonably expected this when the information was collected. If I recall correctly, the information held on me by the Trust probably flowed through from my membership of Lifeline under the previous incarnation of the club. The data controller would have to consider whether when I when I gave up that information I would have reasonably expected my information collected in the context of joining Lifeline to be given to a prospective candidate for Trust elections some 30+ years later. That's just me, the circumstances of data collection for the other 1500(ish) members will have occurred under a number of different scenarios and then you have to consider the extra protection given to members under the age of 18.

Next comes the test of necessity. Even if a legitimate interest were to be established, it has to be considered whether processing the data in this way is necessary or whether there are other, less intrusive, ways of fulfilling the legitimate interest.

Only then does proportionality come into play and the controller needs to consider whether the third party's legitimate interest is overridden by the fundamental rights of the data subject.

It is difficult to see how any tribunal could hold it to be unreasonable for the name of a person who is an elector in an organisation of those who wish to hold office that organisation, that the name of that elector should be withheld from said candidate. Especially when it is considered that one of the advertised benefits is having a vote. For that reason alone I believe you are wrong. Indeed imagine this scenario. A serving director is standing for election and is opposed by a person not a director. The serving director has access to the electorate the non director does not. I simply can't imagine any trust court or tribunal holding that that situation is equitable.

Further it is difficult because that would require the officer tasked with data protection to have overlooked the fact that the names of all trust shareholders remains published. Furthermore the legislation, while admittedly seeming to have a potentially worrying overly wide construction seems to be aimed mainly at third party commercial interests ( That being the selling of information between say by way of example, the manufactures of cutlery to the makers of plates) rather than between members of a club, trust or similar.

However if I am wrong, the difficulty is easily overcome. Simply ask for the consent of members of the Trust when they fill in their application to join. I don't think I am wrong, but as any good lawyer would, I try to cover every eventuality.

I've explained how GDPR works in practice. The reality of it is that the data controller will make decisions with reference to the GDPR training and advice they have been given.

In the scenario you paint, the names alone would be of no use to somebody wishing to canvas, in order to make contact, email addresses or postal addresses would be needed. In deciding whether to hand over the personal information of members without their consent, the data controller will go through the process I outlined in my earlier message. In my view they will decide that there is no legitimate interest that requires the divulging of personal information because a less intrusive fulfilment can be found. That is the data controller will offer all candidates the opportunity to have canvasing materials forwarded by the Trust to all members who have given consent to be contacted by email. That way the personal data is protected and used within the bounds of consent granted, the interests of all candidates are fulfilled equitably and the data controller has fulfilled their obligations under GDPR.

With regards to the publishing of community share register, the use to which the personal information collected when applying for community shares would be put was set out in the share offer document an appendix to which was signed by applicants in order to buy the shares. When signing the application we accepted the terms in the offer document including the stated uses of the personal information provided. Whether publishing the register goes beyond the uses set out is open to debate.

Amberexile wrote:I've explained how GDPR works in practice. The reality of it is that the data controller will make decisions with reference to the GDPR training and advice they have been given.

In the scenario you paint, the names alone would be of no use to somebody wishing to canvas, in order to make contact, email addresses or postal addresses would be needed. In deciding whether to hand over the personal information of members without their consent, the data controller will go through the process I outlined in my earlier message. In my view they will decide that there is no legitimate interest that requires the divulging of personal information because a less intrusive fulfilment can be found. That is the data controller will offer all candidates the opportunity to have canvasing materials forwarded by the Trust to all members who have given consent to be contacted by email. That way the personal data is protected and used within the bounds of consent granted, the interests of all candidates are fulfilled equitably and the data controller has fulfilled their obligations under GDPR.

With regards to the publishing of community share register, the use to which the personal information collected when applying for community shares would be put was set out in the share offer document an appendix to which was signed by applicants in order to buy the shares. When signing the application we accepted the terms in the offer document including the stated uses of the personal information provided. Whether publishing the register goes beyond the uses set out is open to debate.

As I said I hold one view, you hold another.

However two points. The idea that the Trust have appointed a data control officer is for the birds.

Secondly if I am wrong and you are right the situation is easily resolved by simply seeking consent. Or at least it would be if the Trust get around to appointing a data control officer.

Stan A. Einstein wrote:

Amberexile wrote:I've explained how GDPR works in practice. The reality of it is that the data controller will make decisions with reference to the GDPR training and advice they have been given.

In the scenario you paint, the names alone would be of no use to somebody wishing to canvas, in order to make contact, email addresses or postal addresses would be needed. In deciding whether to hand over the personal information of members without their consent, the data controller will go through the process I outlined in my earlier message. In my view they will decide that there is no legitimate interest that requires the divulging of personal information because a less intrusive fulfilment can be found. That is the data controller will offer all candidates the opportunity to have canvasing materials forwarded by the Trust to all members who have given consent to be contacted by email. That way the personal data is protected and used within the bounds of consent granted, the interests of all candidates are fulfilled equitably and the data controller has fulfilled their obligations under GDPR.

With regards to the publishing of community share register, the use to which the personal information collected when applying for community shares would be put was set out in the share offer document an appendix to which was signed by applicants in order to buy the shares. When signing the application we accepted the terms in the offer document including the stated uses of the personal information provided. Whether publishing the register goes beyond the uses set out is open to debate.

As I said I hold one view, you hold another.

However two points. The idea that the Trust have appointed a data control officer is for the birds.

Secondly if I am wrong and you are right the situation is easily resolved by simply seeking consent. Or at least it would be if the Trust get around to appointing a data control officer.

You are right about being able to resolve the issue by seeking consent. Not simple though because if not everybody gives consent the data controller has to manage the exceptions.

You are wrong about everything else.

Amberexile wrote:

Stan A. Einstein wrote:

Amberexile wrote:I've explained how GDPR works in practice. The reality of it is that the data controller will make decisions with reference to the GDPR training and advice they have been given.

In the scenario you paint, the names alone would be of no use to somebody wishing to canvas, in order to make contact, email addresses or postal addresses would be needed. In deciding whether to hand over the personal information of members without their consent, the data controller will go through the process I outlined in my earlier message. In my view they will decide that there is no legitimate interest that requires the divulging of personal information because a less intrusive fulfilment can be found. That is the data controller will offer all candidates the opportunity to have canvasing materials forwarded by the Trust to all members who have given consent to be contacted by email. That way the personal data is protected and used within the bounds of consent granted, the interests of all candidates are fulfilled equitably and the data controller has fulfilled their obligations under GDPR.

With regards to the publishing of community share register, the use to which the personal information collected when applying for community shares would be put was set out in the share offer document an appendix to which was signed by applicants in order to buy the shares. When signing the application we accepted the terms in the offer document including the stated uses of the personal information provided. Whether publishing the register goes beyond the uses set out is open to debate.

As I said I hold one view, you hold another.

However two points. The idea that the Trust have appointed a data control officer is for the birds.

Secondly if I am wrong and you are right the situation is easily resolved by simply seeking consent. Or at least it would be if the Trust get around to appointing a data control officer.

You are right about being able to resolve the issue by seeking consent. Not simple though because if not everybody gives consent the data controller has to manage the exceptions.

You are wrong about everything else.

Read the case of N. It's an immigration case. The intellectual dishonesty that appellate courts are capable of as demonstrated in the above case shows clearly that when it comes to predicting statutory interpretation only a complete idiot would be certain of their case before hand.

Believe me on this one, I know from bitter experience.

Maybe so but you are still wrong about Article 6.1(f).